
Hackers are increasingly targeting Discord to spread malware, warns Sophos

It reported over 9,500 unique URLs hosting malware on Discord CDN in April, and the number increased to 17,000 in the second quarter


Sophos has identified the widely used instant-chat service Discord as a popular tool used by hackers across the globe to distribute malware. These cyber threats include information-stealing malware, spyware, backdoors, and ransomware.

Sophos reported that in the past two months alone its products detected and blocked nearly 140 times the number of detections recorded over the same period in 2020. In April, it reported over 9,500 unique URLs hosting malware on Discord’s content delivery network (CDN) to Discord representatives.

In the second quarter, Sophos detected 17,000 unique URLs in Discord’s CDN pointing to malware. This excluded malware not hosted within Discord that leverages Discord’s application interfaces in various ways.

Discord is used by millions of gamers, and among the malicious files discovered by Sophos were game-cheating tools that target games integrating with Discord in-game. By exploiting weaknesses in Discord’s protocols, these tools make it possible for one player to crash another player’s game. Other applications were merely harmless pranks.

But that was just the beginning.

Sean Gallagher and Andrew Brandt, senior threat researchers at Sophos, wrote about their research in a blog post, and said: “The greatest percentage of the malware we found has a focus on credential and personal information theft, a wide variety of stealer malware as well as more versatile RATs. The threat actors behind these operations employed social engineering to spread credential-stealing malware, then used the victims’ harvested Discord credentials to target additional Discord users.

“We also encountered several ransomware families hosted in the Discord CDN—largely older ones, usable only to cause harm, as there’s no longer a way to pay the ransom. Files hosted on Discord also included multiple Android malware packages, ranging from spyware to fake apps that steal financial information or transactions.”

Discord’s vast user base also provides an ideal environment for stealing personal information and credentials through social engineering.

“Discord offers a permanent, highly available and global distribution network for malware operators, as well as a messaging system that criminals can easily convert into command and control channels for their illegal activities. Its huge user base provides an ideal environment for social engineering to steal personal and login information,” Gallagher and Brandt added in their blog.

“These scams are not harmless – we found one malware that can steal private images from the camera on an infected device, as well as ransomware from 2006 that the attackers have resurrected to use as ‘mischiefware’. The mischiefware denies victims access to their data, but there’s no ransom demand and no decryption key.

“Further, adversaries have caught on that companies increasingly use the Discord platform for internal or community chat in the same way they might use a channel like Slack. This provides attackers with a new and potentially lucrative target audience, especially when security teams can’t always inspect the Transport Layer Security-encrypted traffic to and from Discord to see what’s going on and raise the alarm if needed.”

Sophos recommended that organisations using Discord for workplace chat and collaboration use multi-factor authentication (MFA) to protect employees’ Discord accounts and ensure that all employees have up-to-date malware protection on any computer they use to access remote collaboration platforms for work-related projects.

Sophos Intercept X protects business users by detecting the actions and behaviors of malware, while Sophos Firewall inspects encrypted Transport Layer Security (TLS) traffic.
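Once TLS traffic to Discord is being inspected as described above, the resulting proxy log can be checked for downloads of executable or archive files from Discord's attachment CDN, the hosting pattern the Sophos figures refer to. The following is an added example written for this article, not Sophos code; the CDN hostnames and the attachment path layout are assumptions drawn from Discord's public CDN, the log format is a constructed one, and all IDs and IPs in the sample are made up.

```python
import re
from urllib.parse import urlparse, unquote

# Hosts Discord uses for message attachments (assumed from Discord's public CDN,
# not values quoted in the article); paths look like
# /attachments/<channel_id>/<attachment_id>/<filename>
DISCORD_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}
ATTACHMENT_PATH = re.compile(r"^/attachments/(\d+)/(\d+)/([^/]+)$")
# Executable formats plus archives commonly used to wrap them.
RISKY_EXT = {".exe", ".dll", ".scr", ".msi", ".jar", ".apk", ".js", ".vbs",
             ".ps1", ".bat", ".zip", ".rar", ".7z", ".iso"}

def classify_attachment(url):
    """Describe a Discord CDN attachment URL; return None for any other URL."""
    parts = urlparse(url)
    m = ATTACHMENT_PATH.match(parts.path) if parts.hostname in DISCORD_CDN_HOSTS else None
    if not m:
        return None
    channel_id, attachment_id, filename = m.groups()
    filename = unquote(filename)
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    return {
        "channel_id": channel_id,
        "attachment_id": attachment_id,
        "filename": filename,
        "risky": ext in RISKY_EXT,
        # 'invoice.pdf.scr': a lure extension in front of the executable one
        "double_extension": ext in RISKY_EXT and filename.count(".") >= 2,
    }

def scan_proxy_log(log_text):
    """One finding per risky attachment download; expects constructed log lines
    of the form '<epoch> <client_ip> <method> <url> <status> <bytes>'."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[2] != "GET" or fields[4] != "200":
            continue
        info = classify_attachment(fields[3])
        if info and info["risky"]:
            findings.append({"client": fields[1], **info})
    return findings

# Constructed sample proxy log (IPs and snowflake IDs are made up).
SAMPLE_LOG = """\
1625000000.123 10.0.0.5 GET https://cdn.discordapp.com/attachments/111111111111111111/222222222222222222/update.exe 200 418304
1625000001.456 10.0.0.5 GET https://cdn.discordapp.com/attachments/111111111111111111/333333333333333333/screenshot.png 200 20480
1625000002.789 10.0.0.7 GET https://example.com/index.html 200 1024
1625000003.000 10.0.0.9 GET https://cdn.discordapp.com/attachments/444444444444444444/555555555555555555/invoice.pdf.scr?id=7 200 77824
"""
```

Running `scan_proxy_log(SAMPLE_LOG)` returns the two executable downloads and leaves the image and the non-Discord request alone; the channel and attachment IDs in each finding are what a security team would pass to Discord when reporting a hosted sample.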

Sophos also advised that consumers should install security solutions like Sophos Home on the devices they and their families use for online communications and gaming.